Vulnerability in Ask.com Toolbar Deemed Serious

A new report spells doom for Ask.com, a search engine that is 11 year old and a name in the global search business where the likes of Google, Yahoo and MSN hold sway.

Security advisories have found vulnerability in Ask.com's toolbar for the IE (Internet Explorer) that may allow an attacker to take control of a user's computer.

An advisory posting by security vendor Secunia APS revealed that a boundary fault in the askBar.dll (AskJeevesToolBar.SettingsPlugin.1 ActiveX control) in handling the "ShortFormat" property is responsible for the vulnerability, rating the flaw as severely critical - the second most dangerous rating. On assigning an excess string of 500 bytes to affected property, it can be exploited to result in a stock-based buffer overflow.

With successful exploitation, an arbitrary code can be executed. Version 4.0.2 confirms the vulnerability, while other versions also might be influenced.

An individual by the name of Joey Mengele is supposed to have detected the flaw. The proof-of-concept exploitation codes for the flaws had been posted publicly on some other revelation forums.

WabiSabi Labi, a Swiss company specializing in vulnerability information, was continuing its auction of the Ask.com toolbar problem for as low as €500 ($705) despite no bids being listed, on 25 September 2007 afternoon local time.

The auction has affected security analysts, as they believe that the companies ought to be discreetly intimidated of the vulnerabilities to enable them to patch the software to save the users from the danger. The company continues that security researchers must be rewarded for their efforts.

TechWhack quoted Nicholas Graham, Vice-President and Spokesperson for Ask.com, as saying that Ask.com takes security matters very seriously. They were informed of the buffer overflow matter in the IE toolbar of Ask.com, and had worked hard to fix it. On 26 September 2007, they released fix for the flaw, and all the users of the Ask.com toolbar were automatically informed of the update. In addition to that, they posted information online through the FAQ site of their IE toolbar that informed the users of Ask.com toolbar about the issue and the fix. No exploits had occurred again.